DIGITALEUROPE position on the proposal for a European Cybersecurity Competence Network and Centre

DIGITALEUROPE welcomes the European Commission’s proposal for a European Cybersecurity Competence Network and Centre. The creation of a European Cybersecurity Competence Centre, together with a Network of National Coordination Centres, has the potential to harmonise the currently fragmented cybersecurity market and increase the EU’s competitiveness.

Although the goal of the proposal is welcomed, DIGITALEUROPE urges the co-legislators to better incorporate industry input in the governance of the proposal. Research, innovation and development of cybersecurity capacities require the involvement of all stakeholders in the global supply chain. Failure to consider the global nature of industry solutions will deprive Europe of crucial solutions, resources and instruments.

In this position paper we highlight areas where the proposal could more effectively support the following goals:

Broader consideration of the EU market within the global nature of the ICT supply chain;

More bottom-up approach that includes industry, especially the demand side, providing input to the governance and decision-making of the Competence Centre through either the Advisory Board or the Governing Board;

In order to tackle cyber threats, consideration for reduction of the vulnerabilities of critical infrastructures, e.g. expanding the scope of the Community for security research and fostering greater sharing of sensitive non-classified information;

Inclusion of non-EU products from markets which will fall under the scope of the Centre, e.g. public administration and critical infrastructures; and

Greater promotion of the use and worldwide exploitation of research results, ultimately strengthening Europe’s position as a global leader in cybersecurity on the global stage.

Mission and objectives of the Centre: arts. 3-4

DIGITALEUROPE recommends that the mission of the Centre should be extended to include support to the integration of EU cybersecurity technologies in the global supply chain.

The mission of the proposed Centre is to retain and develop cybersecurity capacity in the Digital Single Market. It is essential to remember that supply chains are global, and that products and services integrate technologies from companies globally. Equally, global supply chains also incorporate the open source software community.

In order for the Centre to harness the most up-to-date cybersecurity solutions, the Centre should incorporate cybersecurity solutions into products irrespective of their origin. The diversity of global cybersecurity solutions available in the market will allow for greater choice for consumers alongside raising the level of the required security.

Similarly, the European Cybersecurity Certification Framework aims to improve the overall security of products being placed on the EU market. The Centre should complement this Framework via the development of certified products whilst maintaining a more global approach.

Governance of the Centre, Network of National Centres, and Community: arts. 8, 9, 10, 12, 15 and 18

Research, innovation and the development of any new capacities require the involvement of all stakeholders in the supply chain – customers, the research community and the private sector. Without granting a platform for industry to provide valuable input, the proposal will be faced with challenges in addressing market shortages of cybersecurity solutions, resources and instruments.

The proposal envisions the creation of a Governing Board tasked with the ‘strategic orientation and the operations of the Competence Centre.’ Under this proposed format, the current voting weight of the European Commission is disproportionate and grants the Commission a larger share of voting (50% of the votes). In addition, the Governing Board does not include industry input.

Although light representation of industry stakeholders is embedded within the proposed Cybersecurity Competence Community and the Industrial and Scientific Advisory Board, there is no clarity as to the impact of the work that this Advisory Board will have on the strategic decisions taken by the Governing Board.

Moreover, the Advisory Board will have ‘no more than 16 seats’ accommodating representatives from various stakeholder groups: the private sector (including SMEs, demand and supply side, all sectors), academics, consumer organisations, JRC, ENISA, etc. At a working group level, depending on the type of expertise required, broader participation from industry will be required to allow the sharing of best practices and provide highly valuable input.

When it comes to consistency with existing mechanisms, DIGITALEUROPE suggests that the roles of ENISA, Europol, the EDA and CERT-EU should be more clearly defined to increase their impact and transparency with the new initiative.

Tasks of the Community: art. 9

The proposed Cybersecurity Competence Community will be tasked with contributing to the reinforcement of cybersecurity research. Security research in the ICT sector can shed light on vulnerabilities, whether found in products provided by companies or in services provided by government institutions. Software and hardware vulnerabilities have been at the core of many recent, high-profile cybersecurity incidents.

It is imperative that security researchers be provided with clear guidelines in order to allow for all stakeholders to coordinate the disclosure of vulnerabilities. By doing so, vulnerabilities will be much more easily identified before any serious incidents can occur.

The Community should also be tasked with providing and contributing towards security ethical research guidelines. Most notably this research would be fed into the responsibility for the disclosure of Coordinated Vulnerability Disclosures (CVD) and in particular how these vulnerabilities are actually disclosed. This is essential because at the moment the CVD process is conducted at a more bilateral level (discoverer of vulnerability to the affected vendor).

Therefore, the Community should be enabled to collectively provide guidance on how the utilisation of CVD can drastically reduce vulnerabilities in critical infrastructures. This can be done through a process that ensures the disclosure of a vulnerability is conducted with more coordination with the service owners/providers who are developing a ‘patch’ for implementation that will limit the exploitation of such a vulnerability.

Finally, there appear to be no incentives proposed for the involvement of cybersecurity professionals in the Community. Art. 9 should state clearly the benefits and incentives for involvement in the Community and not only focus on tasks and obligations in order to attract the global top experts. A lack of incentives for cybersecurity experts to join will frustrate the development and high-level expertise required for the Community to be truly effective.

Transparency of the Centre and sharing information: arts. 35-36

DIGITALEUROPE advocates that in order to effectively combat global cyber threats, the Competence Centre should facilitate information sharing as part of the CVD process.

The protection of confidential, sensitive non-classified or commercially sensitive information should not inhibit sharing information within the Community for security research and for the reduction of vulnerabilities of critical infrastructures.

Establishment of market barriers for products originating from third countries: arts. 3, 4(4)(C) and 5(2)

DIGITALEUROPE is concerned that unintended market barriers may be result from the proposal’s focus on increasing the competitiveness of the EU cybersecurity solutions industry.

This is reflected in Art. 3 as well as Arts. 4 and 5, which cover the supporting role the Centre will play towards public authorities and members of the Network or of the Community in the adoption, integration or procurement of cybersecurity solutions. The involvement of the Centre in such activity therefore risks distorting and fragmenting the ICT market.

Use and exploitation of results: art. 34(2)

The strict use and exploitation of grant results imposed by the proposal (Art. 34), especially targeting the retaining of results in Europe, does not consider companies’ business reality. This may therefore create a lack of interest for companies to join European actions and ultimately isolate the EU.

In addition, Art. 34 prevents the analysis of the results from Horizon Europe projects by globally active organisations. This is a by-product of the overall lack of incorporation of non-European organisations in the Community that is reiterated throughout the proposal.